[U-Boot] [PATCH 04/10] ARM: allocate extra space for PSCI stack in secure section during link phase

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Marc Zyngier <marc.zyngier@arm.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 04/10] ARM: allocate extra space for PSCI stack in secure section during link phase
Date: Wed, 25 May 2016 15:31:34 +0100	[thread overview]
Message-ID: <5745B746.8040407@arm.com> (raw)
In-Reply-To: <CAGb2v66wCi9LAUwrEsVXHQiYPuFzrMpdo69phS3F5=Os2qON-A@mail.gmail.com>

On 24/05/16 16:49, Chen-Yu Tsai wrote:
> Hi,
> 
> On Tue, May 24, 2016 at 9:58 PM, Marc Zyngier <marc.zyngier@arm.com> wrote:
>> On 24/05/16 11:21, Marc Zyngier wrote:
>>> On 23/05/16 13:41, Chen-Yu Tsai wrote:
>>>> The PSCI implementation expects at most 2 pages worth of space reserved
>>>> at the end of the secure section for its stacks. This was not properly
>>>> marked and taken into consideration when reserving memory from the
>>>> kernel.
>>>>
>>>> If one accesses PSCI after Linux has fully booted, the memory that should
>>>> have been reserved for the PSCI stacks may have been used by the kernel
>>>> or userspace, and would be corrupted. Observed after effects include the
>>>> system hanging or telinit core dumping when trying to reboot. It seems
>>>> the init process gets hit the most on my test bed.
>>>>
>>>> This fix is only a stop gap. It would be better to rework the stack
>>>> allocation mechanism, maybe with proper usage of CONFIG_ macros and an
>>>> explicit symbol.
>>>>
>>>> Signed-off-by: Chen-Yu Tsai <wens@csie.org>
>>>> ---
>>>>  arch/arm/cpu/u-boot.lds | 3 +++
>>>>  1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/arch/arm/cpu/u-boot.lds b/arch/arm/cpu/u-boot.lds
>>>> index cfab8b041234..c7f37b606ad5 100644
>>>> --- a/arch/arm/cpu/u-boot.lds
>>>> +++ b/arch/arm/cpu/u-boot.lds
>>>> @@ -67,6 +67,9 @@ SECTIONS
>>>>              SIZEOF(.__secure_start) +
>>>>              SIZEOF(.secure_text);
>>>>
>>>> +    /* Align to page boundary and skip 2 pages */
>>>> +    . = (. & ~ 0xfff) + 0x2000;
>>>> +
>>>>      __secure_end_lma = .;
>>>>      .__secure_end : AT(__secure_end_lma) {
>>>>              *(.__secure_end)
>>>>
>>>
>>> Something worries me here. The PSCI stacks are on the secure side (in
>>> your case in SRAM), and shouldn't be part of the u-boot binary. If Linux
>>> sees some corruption, that's because you're not putting the stacks where
>>> they should, and that's where the issue is.
>>>
>>> One possible bug would be if like the stack address computing is done
>>> using absolute addresses from one of the labels, and not using
>>> PC-relative addresses.
>>>
>>> And crucially, this:
>>>
>>> +     ldr     r3, =psci_text_end              @ end of monitor text
>>>
>>> which was introduced by 4c681a3d22f0 ("ARM: Factor out reusable
>>> psci_get_cpu_stack_top").
>>>
>>> Unless you actually relocate this value, this will base your stack in
>>> RAM, corrupting the hell out of the whatever is there, and moving the
>>> goalpost by 8kB is just papering over the issue.
>>>
>>> The original code was:
>>>
>>> +       adr     r5, text_end            @ end of text
>>> +       add     r5, r5, #0x2000         @ Skip two pages
>>> +       lsr     r5, r5, #12             @ Align to start of page
>>> +       lsl     r5, r5, #12
>>> +       sub     sp, r5, r4              @ here's our stack!
>>>
>>> which had its own share of bug, but was actually safe, thanks to the use
>>> of 'adr' and not 'ldr'.
>>>
>>> Can you please check whether this value gets relocated?
>>
>> I had a check by building a semi-recent u-boot (that is, one that
>> actually builds), and the relocation seems to be correct (I've forced a
>> call to relocate_secure_section() in an unsuspecting command). I feel
>> relieved.
>>
>> So this bug only affects systems that have their PSCI in main memory.
>> Maybe a CONFIG_ALLOCATE_PSCI_STACK_IN_RAM would be in order so that
>> systems with SRAM do not have to see their u-boot grow by another 8kB?
> 
> Maybe we could just put the new macro in the "#ifndef CONFIG_ARMV7_SECURE_BASE"
> above? The code get relocated if CONFIG_ARMV7_SECURE_BASE is set, and the
> region is not reserved. I think the current status is that if one uses
> CONFIG_ARMV7_SECURE_BASE then it should be secure SRAM/DRAM.

Yup, that'd work.

> 
> I'll also make it clear in the commit message that this only affects
> systems that put PSCI in main memory.
> 
> Sorry for the confusion.
> 
> 
> Regards
> ChenYu
> 
> P.S. I wonder if we should do a size check for the secure section?

That'd make sense. Given how hard it has become to keep the A20 SPL
under 24kB in the recent months, having a basic check on the size of the
relocated part would be a good thing. Probably for a separate patch
series though.

Thanks,

	M.
-- 
Jazz is not dead. It just smells funny...

next prev parent reply	other threads:[~2016-05-25 14:31 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-23 12:41 [U-Boot] [PATCH 00/10] sunxi: PSCI implementation rewrite in C Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 01/10] ARM: PSCI: use only r0 and r3 in psci_get_cpu_stack_top() Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 02/10] ARM: PSCI: save and restore clobbered registers in v7_flush_dcache_all Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 03/10] ARM: PSCI: export common PSCI function declarations for C code Chen-Yu Tsai
2016-05-24  9:58   ` Marc Zyngier
2016-05-24 15:55     ` Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 04/10] ARM: allocate extra space for PSCI stack in secure section during link phase Chen-Yu Tsai
2016-05-24 10:21   ` Marc Zyngier
2016-05-24 13:58     ` Marc Zyngier
2016-05-24 15:49       ` Chen-Yu Tsai
2016-05-25 14:31         ` Marc Zyngier [this message]
2016-05-23 12:41 ` [U-Boot] [PATCH 05/10] sunxi: Make CPUCFG_BASE macro names the same across families Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 06/10] sunxi: Group cpu core related controls together Chen-Yu Tsai
2016-05-24  8:15   ` Marc Zyngier
2016-05-24 16:06     ` Chen-Yu Tsai
2016-05-25 14:38       ` Marc Zyngier
2016-05-23 12:41 ` [U-Boot] [PATCH 07/10] sunxi: Add missing linux/types.h header for cpucfg.h Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 08/10] sunxi: Add CPUCFG debug lock and sun7i cpu power controls Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 09/10] sunxi: Add base address for GIC Chen-Yu Tsai
2016-05-23 12:41 ` [U-Boot] [PATCH 10/10] sunxi: Add PSCI implementation in C Chen-Yu Tsai
2016-05-24  8:41   ` Marc Zyngier
2016-05-25  2:14     ` Chen-Yu Tsai
2016-05-25 14:50       ` Marc Zyngier
2016-05-24  6:37 ` [U-Boot] [PATCH 00/10] sunxi: PSCI implementation rewrite " Hongbo Zhang
2016-05-24  9:36 ` Hans de Goede

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5745B746.8040407@arm.com \
    --to=marc.zyngier@arm.com \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox